[
{
"id": "C01",
"title": "Complete Data Theft + Surveillance",
"risk": "critical",
"permissions": ["READ_SMS","READ_CONTACTS","ACCESS_FINE_LOCATION","RECORD_AUDIO","CAMERA"],
"minMatch": 4,
"description": "Comprehensive surveillance — contact harvest, location, audio/video recording."
},
{
"id": "C02",
"title": "Accessibility Exploitation",
"risk": "critical",
"permissions": ["BIND_ACCESSIBILITY_SERVICE","READ_SMS","SEND_SMS","READ_CONTACTS","WRITE_CONTACTS"],
"minMatch": 4,
"description": "Keystroke logging, screen capture, SMS interception, contact manipulation."
},
{
"id": "C03",
"title": "Device Lockdown + Ransom",
"risk": "critical",
"permissions": ["DEVICE_POWER","DISABLE_KEYGUARD","BIND_DEVICE_ADMIN","WRITE_SETTINGS"],
"description": "Ransomware functionality — locks device, disables unlock screen."
},
{
"id": "C04",
"title": "Credential Stealing + Overlay",
"risk": "critical",
"permissions": ["SYSTEM_ALERT_WINDOW","READ_PHONE_STATE","BIND_ACCESSIBILITY_SERVICE","CAMERA"],
"description": "Fake login screens + facial/credential capture via camera."
},
{
"id": "C05",
"title": "Network Interception / VPN Hijack",
"risk": "critical",
"permissions": ["CHANGE_NETWORK_STATE","ACCESS_NETWORK_STATE","BIND_VPN_SERVICE"],
"description": "Routes all traffic through attacker-controlled server."
},
{
"id": "C06",
"title": "Call & Message Interception",
"risk": "critical",
"permissions": ["READ_SMS","SEND_SMS","READ_CALL_LOG","PROCESS_OUTGOING_CALLS","READ_PHONE_STATE"],
"minMatch": 4,
"description": "Full communications monitoring and interception."
},
{
"id": "C07",
"title": "Location Tracking + Contact Profiling",
"risk": "high",
"permissions": ["ACCESS_FINE_LOCATION","READ_CONTACTS","READ_CALL_LOG"],
"description": "Comprehensive tracking and social network mapping."
},
{
"id": "C08",
"title": "Silent Recording",
"risk": "critical",
"permissions": ["RECORD_AUDIO","CAMERA","BIND_ACCESSIBILITY_SERVICE","WAKE_LOCK"],
"description": "Continuous audio/video recording with no user-visible indication."
},
{
"id": "C09",
"title": "Banking Trojan Pattern",
"risk": "critical",
"permissions": ["BIND_DEVICE_ADMIN","SYSTEM_ALERT_WINDOW","READ_SMS","SEND_SMS"],
"description": "Characteristic of banking trojans like Snowblind and FjordPhantom."
},
{
"id": "C10",
"title": "ClayRat / Full Spyware Pattern",
"risk": "critical",
"permissions": ["BIND_ACCESSIBILITY_SERVICE","READ_SMS","SEND_SMS","SYSTEM_ALERT_WINDOW","CAMERA","RECORD_AUDIO","READ_CONTACTS"],
"minMatch": 5,
"description": "Actual permission pattern from ClayRat spyware (December 2025)."
},
{
"id": "C11",
"title": "Media Theft",
"risk": "high",
"permissions": ["READ_EXTERNAL_STORAGE","ACCESS_MEDIA_LIBRARY","WRITE_EXTERNAL_STORAGE"],
"minMatch": 2,
"description": "Steals photos, videos, documents. ACCESS_MEDIA_LIBRARY may be absent on older APIs."
},
{
"id": "C12",
"title": "OTP / Notification Credential Theft",
"risk": "critical",
"permissions": ["BIND_ACCESSIBILITY_SERVICE","READ_PHONE_STATE","SYSTEM_ALERT_WINDOW"],
"description": "Intercepts OTPs, banking alerts, 2FA codes from notifications."
},
{
"id": "C13",
"title": "Email & Calendar Surveillance",
"risk": "high",
"permissions": ["READ_CALENDAR","READ_EMAIL_ADDRESSES","READ_CONTACTS"],
"description": "Monitors schedules, meetings, correspondence for targeted attacks."
},
{
"id": "C14",
"title": "Package Installation Hijacking",
"risk": "critical",
"permissions": ["INSTALL_PACKAGES","DELETE_PACKAGES","REQUEST_INSTALL_PACKAGES","BIND_DEVICE_ADMIN"],
"minMatch": 3,
"description": "Silently installs/uninstalls apps; can inject malware into legitimate apps."
},
{
"id": "C15",
"title": "Bluetooth Data Theft",
"risk": "high",
"permissions": ["BLUETOOTH_ADMIN","ACCESS_FINE_LOCATION"],
"description": "Hijacks Bluetooth connections; steals data from paired wearables/devices."
},
{
"id": "C16",
"title": "Sensor-Based Spying",
"risk": "high",
"permissions": ["BODY_SENSORS","ACCESS_FINE_LOCATION","RECORD_AUDIO"],
"description": "Uses accelerometer/gyroscope to reconstruct keystrokes, infer activities."
},
{
"id": "C17",
"title": "Clipboard Hijacking",
"risk": "critical",
"permissions": ["READ_LOGS","BIND_ACCESSIBILITY_SERVICE","WRITE_EXTERNAL_STORAGE"],
"description": "Reads clipboard (passwords, tokens, sensitive text) and exfiltrates."
},
{
"id": "C18",
"title": "Persistent Installation + Hidden Execution",
"risk": "critical",
"permissions": ["RECEIVE_BOOT_COMPLETED","BIND_DEVICE_ADMIN","CHANGE_COMPONENT_ENABLED_STATE","WRITE_SECURE_SETTINGS"],
"minMatch": 3,
"description": "Survives reboots, hides from app lists, disables security components."
},
{
"id": "C19",
"title": "Backup Data Theft",
"risk": "high",
"permissions": ["BACKUP","READ_EXTERNAL_STORAGE","ACCESS_FINE_LOCATION"],
"description": "Accesses device backups containing app data, passwords, and personal info."
},
{
"id": "C20",
"title": "WiFi Network Mapping + Surveillance",
"risk": "high",
"permissions": ["ACCESS_WIFI_STATE","CHANGE_WIFI_STATE","ACCESS_FINE_LOCATION","READ_PHONE_STATE"],
"minMatch": 3,
"description": "WiFi-based location tracking; surveillance via network scanning."
},
{
"id": "C21",
"title": "Biometric Bypass",
"risk": "critical",
"permissions": ["USE_BIOMETRIC","BIND_ACCESSIBILITY_SERVICE","SYSTEM_ALERT_WINDOW"],
"description": "Steals biometric data, bypasses fingerprint/face locks, creates fake auth screens."
},
{
"id": "C22",
"title": "App Usage Monitoring + Behavioral Profiling",
"risk": "high",
"permissions": ["PACKAGE_USAGE_STATS","READ_PHONE_STATE","ACCESS_FINE_LOCATION","RECORD_AUDIO"],
"minMatch": 3,
"description": "Tracks which apps you use, when, where — full behavioral profile."
},
{
"id": "C23",
"title": "Notification Listener + Message Interception",
"risk": "critical",
"permissions": ["BIND_NOTIFICATION_LISTENER_SERVICE","READ_SMS","READ_CONTACTS"],
"description": "Reads all notifications (banking alerts, 2FA, messages) before you see them."
},
{
"id": "C24",
"title": "Account Harvesting",
"risk": "high",
"permissions": ["GET_ACCOUNTS","AUTHENTICATE_ACCOUNTS","READ_CONTACTS"],
"description": "Extracts all linked accounts for credential abuse."
},
{
"id": "C25",
"title": "Lockscreen Hijacking + Phishing",
"risk": "critical",
"permissions": ["SET_WALLPAPER","SYSTEM_ALERT_WINDOW","DISABLE_KEYGUARD","BIND_ACCESSIBILITY_SERVICE"],
"minMatch": 3,
"description": "Replaces lockscreen with phishing UI; prevents legitimate unlock."
},
{
"id": "C26",
"title": "Remote Access Enablement",
"risk": "critical",
"permissions": ["WRITE_SECURE_SETTINGS","CHANGE_COMPONENT_ENABLED_STATE","BIND_DEVICE_ADMIN"],
"description": "Enables USB debugging remotely; full device takeover vector."
},
{
"id": "C27",
"title": "NFC Payment Interception",
"risk": "high",
"permissions": ["NFC","CHANGE_NETWORK_STATE","ACCESS_FINE_LOCATION"],
"description": "Intercepts NFC payments; steals payment card data; tracks via NFC beacons."
},
{
"id": "C28",
"title": "Browser History + Session Theft",
"risk": "high",
"permissions": ["READ_HISTORY_BOOKMARKS","READ_EXTERNAL_STORAGE","BIND_ACCESSIBILITY_SERVICE"],
"description": "Steals browsing history, cookies, saved passwords, session tokens."
},
{
"id": "C29",
"title": "Microphone + WiFi Exfiltration",
"risk": "critical",
"permissions": ["RECORD_AUDIO","ACCESS_WIFI_STATE","CHANGE_WIFI_STATE"],
"description": "Records audio while switching to unencrypted WiFi for exfiltration."
},
{
"id": "C30",
"title": "Meeting + Social Profiling",
"risk": "critical",
"permissions": ["READ_CALENDAR","ACCESS_FINE_LOCATION","READ_CONTACTS"],
"description": "Full profile: where you go, who you meet, when you meet them."
},
{
"id": "C31",
"title": "Call Forwarding + Interception",
"risk": "critical",
"permissions": ["READ_PHONE_STATE","CALL_PHONE","PROCESS_OUTGOING_CALLS"],
"description": "Forwards calls to attacker; monitors all incoming/outgoing calls."
},
{
"id": "C32",
"title": "Settings Modification + Malware Persistence",
"risk": "critical",
"permissions": ["WRITE_SETTINGS","WRITE_SECURE_SETTINGS","BIND_DEVICE_ADMIN","RECEIVE_BOOT_COMPLETED"],
"minMatch": 3,
"description": "Disables security settings, auto-starts on boot, resists uninstallation."
},
{
"id": "C33",
"title": "File Access + Log Exfiltration",
"risk": "high",
"permissions": ["READ_EXTERNAL_STORAGE","WRITE_EXTERNAL_STORAGE","READ_LOGS"],
"description": "Reads encrypted files and logs containing keys; stages for exfiltration."
},
{
"id": "C34",
"title": "Sensor-Triggered Recording",
"risk": "critical",
"permissions": ["BODY_SENSORS","CAMERA","RECORD_AUDIO"],
"description": "Activates camera/mic only when device is in use — evades detection by timing."
},
{
"id": "C35",
"title": "SIM Card + 2FA Interception",
"risk": "critical",
"permissions": ["READ_PHONE_STATE","SEND_SMS","READ_SMS","CHANGE_NETWORK_STATE"],
"minMatch": 3,
"description": "SIM swap attacks, intercepts SIM-based 2FA, redirects calls/SMS."
},
{
"id": "C36",
"title": "Privilege Escalation via Installer",
"risk": "critical",
"permissions": ["REQUEST_INSTALL_PACKAGES","WRITE_SECURE_SETTINGS","CHANGE_COMPONENT_ENABLED_STATE"],
"description": "Silently installs malware, escalates privileges, disables security features."
},
{
"id": "C37",
"title": "Notification + Accessibility + SMS Trojan",
"risk": "critical",
"permissions": ["BIND_NOTIFICATION_LISTENER_SERVICE","BIND_ACCESSIBILITY_SERVICE","SEND_SMS","READ_SMS"],
"minMatch": 3,
"description": "Intercepts all notifications and SMS; sends messages impersonating the user."
},
{
"id": "C38",
"title": "Full Call + Ambient Audio Recording",
"risk": "critical",
"permissions": ["RECORD_AUDIO","PROCESS_OUTGOING_CALLS","READ_CALL_LOG"],
"description": "Records all calls and ambient audio for exfiltration."
},
{
"id": "C39",
"title": "Anti-Detection via Package Enumeration",
"risk": "high",
"permissions": ["QUERY_ALL_PACKAGES","BIND_DEVICE_ADMIN","CHANGE_COMPONENT_ENABLED_STATE"],
"description": "Identifies installed security apps; disables them; hides malware."
},
{
"id": "C40",
"title": "Full UI Takeover",
"risk": "critical",
"permissions": ["SYSTEM_ALERT_WINDOW","BIND_ACCESSIBILITY_SERVICE","WRITE_SETTINGS","DISABLE_KEYGUARD"],
"minMatch": 3,
"description": "Takes over entire screen; blocks access to system functions."
},
{
"id": "C41",
"title": "Sensor Fusion Attack",
"risk": "critical",
"permissions": ["BODY_SENSORS","ACCESS_FINE_LOCATION","CAMERA","RECORD_AUDIO"],
"minMatch": 3,
"description": "Multi-sensor fusion to infer activities, conversations, and precise location."
},
{
"id": "C42",
"title": "Persistent Background Service",
"risk": "critical",
"permissions": ["RECEIVE_BOOT_COMPLETED","FOREGROUND_SERVICE","CHANGE_COMPONENT_ENABLED_STATE","WRITE_SECURE_SETTINGS"],
"minMatch": 3,
"description": "Survives reboots; runs invisible foreground service; resists uninstallation."
},
{
"id": "C43",
"title": "Financial Document Access",
"risk": "high",
"permissions": ["READ_EXTERNAL_STORAGE","GET_ACCOUNTS","READ_CONTACTS"],
"description": "Accesses financial documents, banking app data, account credentials."
},
{
"id": "C44",
"title": "Keystroke Inference via Sensors",
"risk": "critical",
"permissions": ["BODY_SENSORS","BIND_ACCESSIBILITY_SERVICE","CAMERA"],
"description": "Uses motion sensors to infer keystrokes; camera for visual confirmation."
},
{
"id": "C45",
"title": "Malware Auto-Update",
"risk": "critical",
"permissions": ["WRITE_EXTERNAL_STORAGE","INSTALL_PACKAGES","RECEIVE_BOOT_COMPLETED"],
"description": "Downloads and silently installs malware updates; persists across reboots."
},
{
"id": "C46",
"title": "Anti-Analysis / Security Tool Evasion",
"risk": "critical",
"permissions": ["QUERY_ALL_PACKAGES","CHANGE_COMPONENT_ENABLED_STATE","WRITE_SECURE_SETTINGS","BIND_DEVICE_ADMIN"],
"minMatch": 3,
"description": "Detects and disables security/analysis tools to avoid detection."
},
{
"id": "C47",
"title": "2FA Code Interception + Auto-Fill",
"risk": "critical",
"permissions": ["BIND_NOTIFICATION_LISTENER_SERVICE","BIND_ACCESSIBILITY_SERVICE","SYSTEM_ALERT_WINDOW"],
"description": "Intercepts 2FA codes from notifications; auto-fills or exfiltrates them."
},
{
"id": "C48",
"title": "Banking App Overlay",
"risk": "critical",
"permissions": ["SYSTEM_ALERT_WINDOW","BIND_ACCESSIBILITY_SERVICE","PACKAGE_USAGE_STATS"],
"description": "Detects banking app launch; overlays fake login screen to steal credentials."
},
{
"id": "C49",
"title": "Complete Device Compromise",
"risk": "critical",
"permissions": ["BIND_ACCESSIBILITY_SERVICE","BIND_DEVICE_ADMIN","WRITE_SECURE_SETTINGS","CHANGE_COMPONENT_ENABLED_STATE","RECORD_AUDIO","CAMERA","READ_CONTACTS","READ_SMS","ACCESS_FINE_LOCATION"],
"minMatch": 7,
"description": "Full device takeover — the \"nuclear\" spyware profile."
}
]
